Cesar

Reputation: 443

Consul acl_agent_token setup on bootstrap

I'm attempting to set up a Consul 1.0 cluster in ECS using Terraform. I am able to get Consul up and running as a cluster, but I am running into ACL errors, as documented here. The problem I am having is running the associated curl scripts to create a token with the proper rules, saving that outputted token, and running it on every member of the autoscale group, both for the first time and every time the group scales up.

Does anyone have any suggestions on how to get this knocked out?

Upvotes: 0

Views: 434

Answers (2)

Cesar

Reputation: 443

So what I ended up doing was creating a Lambda script to handle 2 types of events: bootstrap and adding new nodes, which is triggered by either a local_exec in TF (bootstrap) or an autoscaling group SNS notification (add new node). The bootstrap function stored the acl_agent_token in an SSM Parameter Store and applied it initially to the members of the cluster. The function that adds new nodes queries the parameter store and adds the node via the REST API.

Upvotes: 1

Valentin

Reputation: 325

One way of implementing this is storing the created token in Vault or S3 (encrypted with KMS), adding a few lines to user data to retrieve it, and locking it down with the appropriate IAM policies.

Upvotes: 0
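The "store the token, fetch it in user data, apply it to the new node" approach from both answers, written out as an added example (not code from either answer): a user-data script that reads the acl_agent_token from SSM Parameter Store and sets it on the local agent through Consul's HTTP API. The parameter name, the instance role permissions (ssm:GetParameter and kms:Decrypt) and a CONSUL_HTTP_TOKEN with agent:write to authorise the update are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or answers: a user-data script for a
# new autoscaling-group member that reads the Consul agent token from SSM
# Parameter Store and hands it to the local agent over the HTTP API.
# Assumed (placeholders): the parameter name, the instance role permitting
# ssm:GetParameter + kms:Decrypt, and CONSUL_HTTP_TOKEN holding a token with
# agent:write (e.g. the management token) so the agent accepts the update.
set -eu

SSM_PARAM="${SSM_PARAM:-/consul/acl_agent_token}"     # assumed parameter name
CONSUL_ADDR="${CONSUL_ADDR:-http://127.0.0.1:8500}"

# Consul 1.0 ACL tokens are lowercase UUIDs. Reject anything else so an empty
# or wrong SSM value fails the bootstrap loudly instead of leaving the node
# without an agent token or passing an arbitrary string into the request.
validate_token() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Request body for PUT /v1/agent/token/acl_agent_token.
token_body() {
  printf '{"Token":"%s"}' "$1"
}

# Pull the decrypted SecureString; the AWS CLI is assumed to be on the instance.
fetch_agent_token() {
  aws ssm get-parameter --name "$SSM_PARAM" --with-decryption \
      --query 'Parameter.Value' --output text
}

# Set acl_agent_token on the running agent. The token is never echoed and is
# not written to the config file on disk; curl -f turns an HTTP error into a
# non-zero exit so user data stops rather than leaving a half-joined node.
apply_agent_token() {
  token="$1"
  validate_token "$token" || { echo "refusing malformed agent token" >&2; return 1; }
  curl -sS -f -X PUT "$CONSUL_ADDR/v1/agent/token/acl_agent_token" \
       -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN:?management token not set}" \
       -d "$(token_body "$token")" >/dev/null
}

main() {
  apply_agent_token "$(fetch_agent_token)"
}

# User data invokes this as: sh consul-agent-token.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

In Consul 1.0 a token set through this endpoint lives only in the agent's memory, so the script has to run again after any agent restart (or the token has to be written into the agent's config) for the node to keep its ACL permissions.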
